I would like to set HTTPS only for my application. For that, I'm using LetsEncrypt to generate my certificate and to be my CA.
LetsEncrypt generated these files for me:
root@myapp:/opt/letsencrypt# ll /etc/letsencrypt/live/myapp.company.coms/
total 8
drwxr-xr-x 2 root root 4096 Feb 19 15:46 ./
drwx------ 3 root root 4096 Feb 19 15:46 ../
lrwxrwxrwx 1 root root 47 Feb 19 15:46 cert.pem -> ../../archive/myapp.company.coms/cert1.pem
lrwxrwxrwx 1 root root 48 Feb 19 15:46 chain.pem -> ../../archive/myapp.company.coms/chain1.pem
lrwxrwxrwx 1 root root 52 Feb 19 15:46 fullchain.pem -> ../../archive/myapp.company.coms/fullchain1.pem
lrwxrwxrwx 1 root root 50 Feb 19 15:46 privkey.pem -> ../../archive/myapp.company.coms/privkey1.pem
Reading Play 2 Framework documentation, they say this:
https.keyStore - The path to the keystore containing the private key and certificate, if not provided generates a keystore for you
https.keyStoreType - The key store type, defaults to JKS
https.keyStorePassword - The password, defaults to a blank password
https.keyStoreAlgorithm - The key store algorithm, defaults to the platforms default algorithm
An example of using these properties might be:
./start -Dhttps.port=9443 -Dhttps.keyStore=/path/to/keystore -Dhttps.keyStorePassword=changeme
Now that I have the key and the certificate generated by LetsEncrypt, how can I generate my keystore to be used by Play 2 Framework?
If you need PKCS12 type (language-neutral way to store encrypted private keys and certificates):
openssl pkcs12 -export -in ../../archive/myapp.company.coms/fullchain1.pem \
  -inkey ../../archive/myapp.company.coms/privkey1.pem \
  -out ../../archive/myapp.company.coms/keystore.p12 \
  -CAfile ../../archive/myapp.company.coms/cert1.pem \
  -caname root
(enter your preferred password 2 times or you can use parameter -passout pass:your_password)
Your pkcs12 will be located here: ../../archive/myapp.company.coms/keystore.p12
In your application use:
https.keyStoreType=PKCS12
If you need JKS then:
1. Make pkcs12 (as described above)
2. Use:
keytool -importkeystore -srckeystore ../../archive/myapp.company.coms/keystore.p12 \
  -srcstoretype pkcs12 \
  -destkeystore ../../archive/myapp.company.coms/cert.jks \
  -deststoretype jks
(enter your preferred password 2 times or you can use parameter -storepass your_password)
(enter your password which you use for pkcs12 or you can use parameter -srcstorepass your_password)
Your jks will be located here: ../../archive/myapp.company.coms/cert.jks
In your application use:
https.keyStoreType=JKS
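A non-interactive variant of the PKCS12 step in the answer above, as an added example that is not part of the original answer: it reads the keystore password from a file through openssl's file: pass-phrase source, so the password does not appear in the process list or shell history as it would with -passout pass:..., and it leaves the keystore with 0600 permissions. The function name make_p12, its argument order and the password file are assumptions made for this example.

```shell
#!/bin/sh
# Added example: build a PKCS12 keystore from Let's Encrypt PEM files
# without putting the keystore password on the command line.
# make_p12 is an illustrative name, not part of openssl or Play.

# usage: make_p12 <fullchain.pem> <privkey.pem> <out.p12> <password-file>
make_p12() {
    fullchain=$1 privkey=$2 out=$3 passfile=$4

    for f in "$fullchain" "$privkey" "$passfile"; do
        [ -r "$f" ] || { echo "cannot read $f" >&2; return 1; }
    done
    # An empty password file would produce a keystore with a blank password.
    [ -s "$passfile" ] || { echo "password file is empty" >&2; return 1; }

    # mktemp creates the file with mode 0600, so the private key is never
    # world-readable, even briefly. Build there, then move into place.
    tmp=$(mktemp "${out}.XXXXXX") || return 1

    # Export, then re-open the result with the same password to confirm
    # the MAC verifies before replacing any existing keystore.
    if openssl pkcs12 -export -in "$fullchain" -inkey "$privkey" \
            -passout "file:$passfile" -out "$tmp" &&
       openssl pkcs12 -in "$tmp" -passin "file:$passfile" -noout
    then
        chmod 600 "$tmp" && mv "$tmp" "$out"
    else
        rm -f "$tmp"
        return 1
    fi
}
```

The password file itself should be readable only by the account that runs the export and the application, and the same password is then passed to Play as https.keyStorePassword.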